Right To Be Forgotten And Digital Privacy

  • Right To Be Forgotten And Digital Privacy

    Last month, an interim order was issued by the High Court of Delhi directing Google and IndianKanoon to remove access to a judgment from their portals. The High Court had applied the the Right to Be Forgotten ("RTBF") principles. This order, perhaps, marks the beginning for constitutional courts exercising writ jurisdiction issuing such directions. Though RTBF is well established across...


    Last month, an interim order was issued by the High Court of Delhi directing Google and IndianKanoon to remove access to a judgment from their portals. The High Court had applied the the Right to Be Forgotten ("RTBF") principles. This order, perhaps, marks the beginning for constitutional courts exercising writ jurisdiction issuing such directions. Though RTBF is well established across the world, Indian courts have not had much occasion to deal with the same. However, this may soon change as more petitions are likely to be filed on account of the evolving international jurisprudence and impending enactment of the Indian Personal Data Protection Bill.

    Do We Have a Right to Be Forgotten?

    At present, the data protection regime in India does not contain the RTBF principles but there is a compelling argument that this right must be read as part of Article 21 of the Constitution of India. Such an interpretation is a result of the law laid down in Justice (Retd.) K.S. Puttaswamy and Anr. vs Union of India and Ors (2017) case which confirmed the right to privacy to be part and parcel of the fundamental right to life and personal liberty enshrined in the Constitution. Specifically, the concurring judgment authored by the Hon'ble Mr Justice SK Kaul talks about the "right of an individual to exercise control over his personal data and to be able to control his/her own life would also encompass his right to control his existence on the internet." The judgment further records that "the existence of such a right does not imply that a criminal can obliterate his past, but that there are variant degrees of mistakes, small and big, and it cannot be said that a person should be profiled to the nth extent for all and sundry to know."

    Even before the landmark judgment in Justice (Retd.) K.S. Puttaswamy case, various courts have considered variations of RTBF principles. In the case of R. Raja Gopal v State of Tamilnadu (1994), the right of privacy of prisoners was recognized by the Supreme Court for the first time. Similarly, in the cases of State of Punjab v Gurmit Singh and Ors (1996) and State of Karnataka v Putta Raja (2003), the Supreme Court has held that anonymity can help protect victims of sexual offence from social ostracism. In Sri Vasunathan v The Registrar General (2017), the Karnataka High Court recognized RTBF principles in sensitive cases involving women in general as well highly sensitive cases involving rape or affecting the modesty of the person.

    More recently, the Delhi High Court, while hearing a suit for permanent injunction, recognized RTBF principles as inherent aspects of right to privacy. However, recenlty in the case of Jorawer Singh Mundy @ Jorawar Singh Mundy v Union of India and Ors (2021), the Delhi High Court, under Article 226 of the Constitution of India, made an interim order protecting the rights of an American citizen. The Writ Petitioner had moved the writ court seeking removal of a judgment of acquittal in a case filed under The Narcotic Drugs and Psychotropic Substances Act (1985) claiming that the continuation of the existence of the said judgment on the websites / portals of Google and Indiankanoon had caused irreparable damage to his social life as well as career prospects.

    International Jurisprudence of RTBF

    In the United Kingdom Rehabilitation of Offenders Act (1974) and the 'Spent Conviction Scheme' have the effect of limiting the disclosure of certain offences of citizens after a stipulated period known as the 'spent' period. However, the right to erasure as part of RTBF took shape largely from the 1995 Directive of the European Union on the protection of individuals with regard to the processing of personal data and on the free movement of such data. In the case of Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González (2014) re-affirmed the principles of RTBF, which were subsequently established in the European Union General Data Protection Regulations (GDPR) 2016, which came into force on the 25th May 2018. In the UK, GDPR has been implemented under the Data Protection Act 1998, which governs transfer of all personal data including the ability to appeal to the Information Commissioners Office, in the event, search engines refuse to remove personal data which are spent The remit of the way the RTBF has been examined in detail in High Court of England and Wales in the matter of NT1 & NT2 v Google LLC [2018] EWHC 799. Both NT1 and NT2 (whose identities were anonymised) sued Google after it refused to remove information about their spent convictions from search results. In both case, the court balanced the individuals' rights to have damaging personal data removed against Google's interest in processing their personal data. The European Court of Justice (ECJ) has, also, in particular, been at the forefront of confirming RTBF. In Google LLC v. Commission nationale de l'informatique et des libertés (CNIL) (2019), ECJ has discussed in length about the territorial scope of de-referencing by a search engine operator once the request for the same has been granted to a data subject. Similarly, in the case of GC, AF, BH, ED v Commission nationale de l'informatique et des libertés (CNIL) (2019), ECJ has tried to balance the right to privacy of data subjects against that of the right to know of public at large.

    Indian Personal Data Protection Bill

    India has been a late entrant to internet privacy and it was only in 2019, the Personal Data Protection (PDP) Bill was introduced in the Lok Sabha. The PDP Bill differs from GDPR with regard to RTBF. While GDPR allows permanent erasure of personal data immediately: (i) where it is no longer needed for its original processing purpose; (ii) when consent is withdrawn or (iii) when there are no overriding legitimate grounds for processing; the PDP Bill allows total erasure only on the first ground. Under the PDP Bill, the data principal would be required to directly apply to the Adjudicating Officer, not the data fiduciary and even third parties can seek review of the order against disclosure.

    It is trite that RTBF is not an unconditional right; and in order to acquire the same, the onus lies on the data principal to show that their right/interest in restricting continued disclosure of their personal data overrides the right to freedom of speech and expression and right to information of any citizen. Nevertheless, with countries like the United Kingdom, Australia and other member states of the European Union leaning strongly in favour of RTBF, it is time for India to re-calibrate our legal and statutory framework in this regard. If the PDP Bill is passed in its current form, the discretion of the Adjudicating Officer has to be carefully exercised on a case-to-case basis, as to whether the RTBF of a particular offender outweighs the interests of prevention and detection of offences; or if the personal data is used for domestic or commercial purposes and so on, instead of a blanket response for all cases. In light of the recent pronouncements in Jorawer Singh Mundy @ Jorawar Singh Mundy v Union of India and Ors (2021) by the Delhi High Court, this may also open the floodgates of litigation under the writ jurisdiction in the months and years to come.

    Views are personal.

    Authors are advocates at the firm Ganesan and Manuraj Legal LLP , Chennai.


    Next Story